On Sat, Feb 4, 2017 at 2:37 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Sat, Feb 4, 2017 at 8:56 AM, Nikita Popov <nikita....@gmail.com> wrote: > >> You are free to prepare a patch, but your patch will not get merged. >> >> Your blatant disregard of any and all feedback you receive on your >> proposals is beginning to get on my nerves. This has played out again and >> again, most recently in the thread on mt_rand() seeding. Here again, you >> make a suggestion, you get two responses, both telling you that your >> suggestion is not acceptable, and what conclusion do you draw from this? >> Why, of course, let's land it anyway! >> >> If people stop replying to your mails, the reason is not that they have >> been convinced by your arguments. The reason is that they have realized the >> pointlessness of the debate. >> > > This is because there is no logical explanation why against to have salt. > Internet RFC clearly states the benefits. Moreover, it recommends salt > whenever > it is possible by emphasizing improved security by salt. Or am I > misunderstood the RFC? > > There isn't any valid reason to have "salt" parameter as the last optional > parameter so far. > Why it should be the last optional parameter? > BTW, I think the other 2 parameters should be optional. string hash_hkdf(string algo, string ikm [, int length = 0, string info = '', string salt = '']) However, salt must be 1st optional parameter at least. Considering most usage with PHP, it should be required and make it optional explicitly. In addition, I would like to have "info" as the first optional parameter. string hash_hkdf(string algo, string ikm, string salt [, string info = '', int length = 0]) - Set salt to NULL if salt cannot be used, reject null string as invalid. Better security by default is the way to go. IMHO. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
